The key challenge in an analysis of the PaC space is the relative maturity, scope, and purpose of the various offerings. Larger customers will typically want robust, well-managed and broad capabilities, while smaller customers may want more specific solutions. This document was organized across these different axes:
Maturity & Scope
Which solutions are meant for large-scale customers, with extensive capabilities for management, operations, workflows, support and services?
Distributed vs Centralized
Centralized solutions maintain the decisions centrally, requiring calls across the network to get answers.
Distributed solutions keep the PDPs (Policy Decision Points) close to the applications and services that need them, significantly reducing network latency.
Platform Attachment
Some products will only work within a particular product ecosystem, so if you don’t use that ecosystem, it’s much more difficult (if not impossible) to use that product.
Using these axes, we divide up the major vendors into key buckets:
Mature, Platform-Neutral Distributed Solutions
Mature, Platform-Neutral Centralized Solutions
Platform-Neutral Distributed Rising Stars
Platform-Neutral Centralized Rising Stars
Platform-Specific Solutions
We describe how various offerings fit into these buckets and then provide a series of comparison tables for various aspects of the solutions.
Styra DAS¹
OPA is by far the most flexible policy solution, offering capabilities far beyond just access control (such as infrastructure security, data transformation & validation, arbitrary other policies with variable inputs/outputs). For the purposes of a consistent enterprise-wide compliance solution, Styra DAS-managed OPAs are the best choice.
PlainID
PlainID offers centralized management of authorization policy with distributed PDPs, distributing the policies to PDPs out in the network. PlainID offers a business-friendly front-end for building policies, but it is customized for yes/no access control decisions. If you need a comprehensive compliance solution for infrastructure, access control, CI/CD security, data protection, etc., PlainID requires extensive customization, and you will spend a lot of time “fighting” with the system.
¹ Styra DAS is winding down operations and is not accepting new customers.
Axiomatics
An XACML-based solution with strong adoption in regulated industries. It is focused on access control and not designed for infrastructure or operational policies. In addition, as a centralized solution, it is not well-positioned to offer access control for microservices, Zero Trust implementations, etc.
NextLabs
Like Axiomatics, NextLabs uses XACML for centralized access control. It is heavily used in regulated industries for protecting Intellectual Property. As a centralized solution, it has the same drawbacks as Axiomatics.
Permit.io
Permit uses OPA as part of its PDP solution, but it (like most others) focuses exclusively on Access Control. So, like most of the others, it is not a generalized policy solution for infrastructure compliance, security review, CI/CD analysis, etc.
EnforceAuth
EnforceAuth was founded by Styra veterans as Styra was being shut down. They are stepping into the space left by Styra, offering a solution that allows customers to reuse their existing OPA infrastructure. This makes EnforceAuth’s offerings more flexible for compliance, infrastructure security and data protection, while simultaneously offering fast, local access control decisions as well.
Cerbos Cloud
Cerbos offers a custom PDP that uses YAML as its policy language. Like most other providers, it is focused on access control.
Oso
Oso provides a custom policy language (Polar) and is designed to be an SDK that is embedded directly in your applications. In this model, it is highly distributed, but as an embedded SDK, all the management is up to you. Oso Cloud is a hosted offering that takes over much of the management, but Oso Cloud is a centralized solution that requires network calls. In addition, Oso is focused on Access Control.
AuthZed
AuthZed offers ReBAC (Relationship-based Access Control) and uses Google Zanzibar as its reference. For situations where relationship-based access control is critical, AuthZed is an excellent choice. Again, focused on Access Control. You can use SpiceDB (the open-source heart of AuthZed) as a distributed solution, but if you want a managed provider, it needs to be the centralized AuthZed.
Permify
Permify is inspired by Zanzibar, but not a direct implementation. They are focused on smaller organizations but do offer an enterprise-grade service with unlisted pricing. Like other Zanzibar variants, they are exclusively focused on Access Control.
Okta FGA
Okta FGA is the hosted version of OpenFGA, backed by Okta, a major player in the Identity space. It is also based on Google Zanzibar. Okta manages all the policies and decisions centrally. It is exclusively for Access Control.
AWS Verified Permissions (AVP)
AVP is the AWS implementation of the Cedar policy language, and benefits from the rich ecosystem provided by Amazon. However, it must be centralized and must use the AWS infrastructure. It is also exclusively used for Access Control.
CyberArk Identity
Primarily focused on authentication. It supports Role-Based Access Control.
HashiCorp Sentinel
A Policy as Code solution for customers who use the HashiCorp ecosystem. It is not a general-purpose solution for Access Control.
SailPoint
SailPoint is primarily focused on identity management and offers some RBAC capabilities as part of that.
Policy Capabilities
IT Concerns
⁴ In other words, can a PDP still make decisions when the network has become segmented?
⁵ Typically, systems that support self-hosting can also provide air-gapped capabilities.
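The Distributed vs Centralized axis above and footnote ⁴ both come down to one question: what happens to a decision when the PDP's network path is cut. The following is an added example, not code from this analysis or from any vendor listed here; the control plane, bundle format, role/action/resource tuples and the 60-second staleness limit are all constructed for illustration. It contrasts a centralized PDP, where every decision crosses the network, with a local PDP that pulls a policy bundle and keeps deciding from its last-known-good copy during a partition, failing closed once that copy is older than the staleness limit.

```python
# Added example (not from the original analysis or any listed product):
# a policy-enforcement point (PEP) using either a centralized PDP or a
# local PDP with a cached policy bundle, under a network partition.
import time

class NetworkPartitioned(Exception):
    pass

class ControlPlane:
    """Constructed stand-in for a central policy server / centralized PDP."""
    def __init__(self):
        # Constructed bundle: version plus a set of allowed (role, action, resource).
        self.bundle = {"version": 1, "allow": {("analyst", "read", "report")}}
        self.reachable = True

    def fetch_bundle(self):
        if not self.reachable:
            raise NetworkPartitioned("control plane unreachable")
        return dict(self.bundle)

    def decide(self, role, action, resource):
        # Centralized PDP: the decision itself must cross the network.
        if not self.reachable:
            raise NetworkPartitioned("PDP unreachable")
        return (role, action, resource) in self.bundle["allow"]

def central_pep(cp, role, action, resource):
    """PEP in front of a centralized PDP: fail closed if the PDP is unreachable."""
    try:
        return cp.decide(role, action, resource)
    except NetworkPartitioned:
        return False

class LocalPdp:
    """Distributed PDP: decisions are local; only bundle refreshes use the network."""
    def __init__(self, cp, max_staleness_s, clock=time.monotonic):
        self.cp, self.max_staleness_s, self.clock = cp, max_staleness_s, clock
        self.bundle, self.fetched_at = None, None

    def refresh(self):
        try:
            self.bundle = self.cp.fetch_bundle()
            self.fetched_at = self.clock()
        except NetworkPartitioned:
            pass  # keep the last-known-good bundle; decisions continue locally

    def decide(self, role, action, resource):
        # No bundle yet, or a bundle older than the limit: fail closed (deny).
        if self.bundle is None or self.clock() - self.fetched_at > self.max_staleness_s:
            return False
        return (role, action, resource) in self.bundle["allow"]
```

The staleness limit is the operational knob a reviewer should look for in any distributed PDP: without it, a partitioned node would keep enforcing a policy that may already have been revoked centrally.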
Bells and Whistles
⁶ This includes both controlling how AIs access your systems, as well as using AIs to help develop your rules.